Hi, I'm having a strange issue. I have agents that normally report to the
manager just fine, but after an undetermined amount of time, this appears
in the logs
2019/12/16 01:20:55 rootcheck: INFO: Starting rootcheck scan.
2019/12/16 01:40:58 rootcheck: INFO: Ending rootcheck scan.
2019/12/16
Can somebody give some feedback in relation to the below please:
In the event an OSSEC core server was to go offline for an extended period of
time will the agents keep storing syscheck alerts locally until the core comes
back online?
If the agents do spool alert logs locally the risk is
On Thu, Jul 18, 2019 at 1:39 AM sunitha s wrote:
Hi All,
I have installed OSSEC version 3.1 on Ubuntu 16.04 on my local PC.
I have installed OSSEC agents in the same network segment; the agents are
connected and sending logs to the OSSEC server, and I also installed agents in
different network segments. All the configuration is done
On Mon, Mar 27, 2017 at 10:50 AM, Marc Baker wrote:
OSSEC agents this morning were working without issue and then began
reporting as Disconnected. Agent logs are returning the following error:
2017/03/27 10:14:38 ossec-agent: WARN: Process locked. Waiting for
permission...
2017/03/27 10:14:49 ossec-agent(4101): WARN: Waiting for server reply
Before doing what I said above, check that your client.keys doesn't have
duplicated IPs.
On Monday, June 20, 2016 at 9:35:12 AM UTC+2, Jesus Linares wrote:
Hi Tahir,
It could be an issue with the keys. OSSEC (agents and manager) keep a
counter of each message sent and received in /var/ossec/queue/rids. This is
a technique to prevent replay attacks. Let's try the following:
- In an agent of your particular subnet: stop it and go to
On Fri, Jun 17, 2016 at 5:27 AM, Tahir Hafiz wrote:
Hi Tahir,
Is your agents' configuration with static IP, network, or set to ANY?
Regards
---
Jose Luis Ruiz
Wazuh Inc.
j...@wazuh.com
On June 17, 2016 at 11:27:22 AM, Tahir Hafiz (tahir.ha...@gmail.com) wrote:
ERROR: Invalid ID for the source ip
Thanks. I am seeing this in the alerts.log for the ones not connecting, I
mean they seem to be able to connect in network terms but not the OSSEC
server instance process:
ossec-remoted(1408): ERROR: Invalid ID for the source ip: 'a.b.c.d'.
ossec-remoted(1213): WARN: Message from a.b.c.d not
It should work with port 1514 UDP. First, check if you have connectivity
between agents and manager (ping, telnet, tcpdump...) and review your
network settings (routers, firewall rules, etc). Then, check out the
ossec.log of each agent to see what the issue is.
On Thursday, June 16, 2016 at
On Thu, Jun 16, 2016 at 12:27 PM, Tahir Hafiz wrote:
We have an OSSEC server located in one particular subnet and the majority
of the agents are located in the same subnet and work fine.
However, we have a few OSSEC agents located in a different subnet and they
are having problems being able to connect to the server.
We have opened up port 1514
Jesus is totally right.
The timeout he is talking about is 3*NOTIFY_TIME+30; NOTIFY_TIME by
default is 600 seconds.
Check the last modification date on every agent-info/* file and wait
until that time is more than 30'30''.
Best regards,
Pedro S.
On Thursday, April 7, 2016 at
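One way to reproduce the status check Pedro describes (no agent-info file means never connected; otherwise the file's age is compared with 3*NOTIFY_TIME+30 seconds), as an added example that is not from the list or from the OSSEC code. The agent names, IPs and the temporary directory are constructed; the "name-ip" file naming is assumed to match what OSSEC writes under queue/agent-info/.

```python
import os
import tempfile
import time
from pathlib import Path

NOTIFY_TIME = 600                        # OSSEC default, seconds (from the thread)
DISCONNECT_AFTER = 3 * NOTIFY_TIME + 30  # 1830 s, i.e. the 30'30'' Pedro mentions


def agent_status(agent_info_dir, agent_file, now=None):
    """Return 'never connected', 'active' or 'disconnected' for one agent.

    Mirrors the rule from the thread: no file under agent-info/ means the
    agent never connected; otherwise the file's mtime age decides.
    """
    now = time.time() if now is None else now
    path = Path(agent_info_dir) / agent_file
    if not path.exists():
        return "never connected"
    age = now - path.stat().st_mtime
    return "active" if age < DISCONNECT_AFTER else "disconnected"


def demo():
    """Build a constructed agent-info directory (hypothetical agents) and classify it."""
    tmp = tempfile.mkdtemp()
    now = time.time()
    # Constructed sample files; the "<name>-<ip>" naming is assumed.
    fresh = Path(tmp) / "web01-10.0.0.5"
    stale = Path(tmp) / "db01-10.0.0.9"
    fresh.write_text("")
    stale.write_text("")
    os.utime(fresh, (now - 120, now - 120))    # last keepalive 2 minutes ago
    os.utime(stale, (now - 3600, now - 3600))  # last keepalive an hour ago
    return {
        "web01-10.0.0.5": agent_status(tmp, "web01-10.0.0.5", now),
        "db01-10.0.0.9": agent_status(tmp, "db01-10.0.0.9", now),
        "app01-10.0.0.7": agent_status(tmp, "app01-10.0.0.7", now),  # no file
    }


if __name__ == "__main__":
    for agent, status in demo().items():
        print(f"{agent}: {status}")
```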
Hi,
in order to know if an agent is connected, disconnected or never connected,
OSSEC reads the modification date of the files in
/var/ossec/queue/agent-info/:
- if there is no file for the agent, the status is never connected
- if the modification time of the file is less than a
Hello Dan,
Thanks for the reply. Yeah, it's the old data. I ran ./agent_control
-lc|grep ID:|wc -l to list the count of active agents and it shows as 3k
even though the manager's ossec process is stopped. I am trying to figure
out where the cache is stored. I need to remove that data before
On Tue, Apr 5, 2016 at 11:01 AM, sandeep ganti wrote:
Hello,
I do have like 6k servers in my environment connected to one of the OSSEC
Server/manager. Out of the 6k only approx 3k are showing up as active and
the rest they are shown as disconnected. I decided to kill the OSSEC
Process on the Server/manager and perform a restart so that upon the
Hi Steve,
yes, what you said makes sense. Those kinds of messages are typically
related to network issues, so I think there might be something we are
missing.
If that is ok with you I'll send you a private message, since I've been a
long-term Alienvault employee and maybe I can help.
Best
On
Sure. That would be great. As I mentioned, I have a case open with AV
already, but I think the tech that's working on my case is in Ireland, so
our work hours don't overlap much. Anything you can do to help would be
appreciated. If you have access to the support cases, it's case # 00056663.
I added the agents using the IP address of the OSSEC server, which is
statically configured. The server has multiple interfaces, but I used the
IP address appropriate for the VLAN my agents were connecting from. I've
confirmed the connections come in on the expected interface from the
expected
Hi Steve,
do you use DHCP or fixed IP addresses in your environment? Do your servers
have one or more than one IP?
When you added the agents, did you use fixed IPs for each one? Is tcpdump
output showing the same IP you used when adding those?
Best
On Mon, May 11, 2015 at 8:54 AM, Steve
I have OSSEC running as part of an Alienvault installation, with about 20
agents configured. Recently I've observed that most of the agents will show
as disconnected. After a few hours all of them except for one or two will
show active again. Then within a short period of time, most of them
I just investigated this as I've been working on the eventchannel code
quite a bit. The eventchannel stuff will both bookmark the last location so
the agent can pick up again where it left off. Also, if the manager is down
and seen as disconnected by the agent then it will also behave the same
Hi,
Thanks for your response.
Considering some changelogs that I saw and the tests that I made, OSSEC
still doesn't buffer the logs / continue with the last unsent event.
Indeed I tested NXLOG as the shipper for Windows events and it works pretty
well in the community edition but doesn't have the
On Wed, Jun 18, 2014 at 2:19 AM, horst knete baduncl...@hotmail.de wrote:
The OSSEC project does accept code contributions.
Hey Guys,
we are implementing an OSSEC installation in our environment due to the
great functionality of the system.
We got agents on both Linux and Windows and the log shipment is working
fine.
But as we tested what happens if the OSSEC server goes down (i.e. for
maintenance) the
On Tue, Jun 17, 2014 at 4:17 AM, horst knete baduncl...@hotmail.de wrote:
On Thu, Apr 11, 2013 at 4:09 PM, Sam Oehlert somidsc...@gmail.com wrote:
I can't find a way to accomplish this, but basically the situation breaks
down like this:
We have a group of machines that are all booted off of one image over the
network. We would like to have the agent running on them, but since they
don't have persistent storage, that would have to be in
On Sun, Apr 7, 2013 at 8:44 PM, Erkki Saikkonen eki.saikko...@gmail.com wrote:
Agents never generate alerts, only servers (and local installs)
Hi,
New to using OSSEC, need help with use and alerts. Why don't OSSEC agents
generate alerts if you remove a directory or file listed in the syscheckd
configuration in ossec.conf? The other thing is that OSSEC doesn't report
changes of ownership or rights for directories at all, only for file
changes
On Mon, Mar 4, 2013 at 2:46 AM, Umair Mustafa umair.ksa2...@gmail.com wrote:
I installed Ossec Server and some agents on other servers. But the thing is
that out of 10 agents only 7 servers are able to communicate with Ossec
Server and 3 are not.
This is the Ossec Server information
DIRECTORY=/var/ossec
VERSION=v2.5.1
DATE=Thu Jan 13 17:03:30 AST 2011
TYPE=server
On Thu, May 31, 2012 at 1:07 PM, Maahkus mark.v...@gmail.com wrote:
Is there a log file that displays what authenticated user or the date
and time a new agent was added? I need to track a newly added agent to
the user that added it. Can't seem to figure out how.
Regards,
Nope. There may be a
Every time an agent is first connected, OSSEC generates an alert for it:
Rule: 501 (level 3) - 'New ossec agent connected.'
So you can probably use that to get more information on when it was first
connected... But there is no easy (standard) way to detect when the
client.keys file was modified
Hi Dan,
I need help on how to group the OSSEC agents.
For example,
I have an OSSEC server already installed and up.
Now I want to install OSSEC agents on nearly 300 servers.
I want to group all these agents like the following:
Production Application
Production Web
Production SQL
Production
What do you mean by group them? In what?
On Tue, Jul 26, 2011 at 10:42 AM, gopal krishnan
gopikrishna...@gmail.com wrote:
I have OSSEC installed as a master/agent setup. There are about 30
agents running with one master. I recently changed the ossec.conf to
monitor changes in directories in real time:
<directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories realtime="yes"
You need to change it in each system's ossec.conf, or utilize the agent.conf.
Changing it in the manager's ossec.conf will only affect the manager.
On Thu, Feb 10, 2011 at 9:01 AM, Rob robr...@gmail.com wrote:
I believe you have to do it on all agents.
Also you can do it centrally by configuring the agent.conf file at the server.
On Feb 10, 2011, at 9:01 AM, Rob robr...@gmail.com wrote:
The ossec agents are NOT communicating with the server...
1) IT IS NOT a firewall issue, FIRST I added the 1514/udp rule to the
server firewall, THEN I even tried to take down iptables completely in
both agents AND the server.
2) I reinstalled the keys (as explained here
Hi list,
I have a quick architecture question.
I saw that there is much less information in the ossec.conf of the
agent than in that of the server. Does the agent take the ossec.conf from
the server to do all tests?
What do I have to do when some agents need to check some logfiles which
aren't
I have a few hosts that use DHCP. The problem is if I add an agent with
a particular IP it's only good till the machine gets a new address. I
would prefer not to extend the lease or add the MAC addresses into DHCP
as some of the machines will move to different DHCP zones when
traveling.
Would